rdo/rdo.c

#include <pwd.h>
#include <err.h>
#include <shadow.h>
#include <crypt.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <bsd/readpassphrase.h>
#include "sessions.h"

#define VERSION "1.3"

void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {
	char* line = NULL;
	size_t len = 0;

	fseek(fp, 0, SEEK_SET);

	while (getline(&line, &len, fp) != -1) {
		if (strncmp(entry, line, strlen(entry)) == 0) {
			strtok(line, "=");
			char* token = strtok(NULL, "=");
			if (token) {
				strncpy(result, token, len_result);
				result[strcspn(result, "\n")] = 0;
				free(line);
				return;
			}
		}
	}

	errx(1, "Could not get '%s' entry in config", entry);
}

void runprog(char** program_argv) {
	if (setuid(0) < 0)
		err(1, "Could not setuid");
	if (setgid(0) < 0)
		err(1, "Could not setgid");

	 // NOTE: this does not return when no error occurred.
	execvp(program_argv[0], program_argv);

	err(1, program_argv[0]);
}

int main(int argc, char** argv) {
	char username[64], wrong_pw_sleep[64], session_ttl[64], password[128];
	unsigned int sleep_us, tries, ts_ttl;

	if (argc == 1) {
		printf("RootDO version: %s\n\n", VERSION);
		printf("Usage: %s [command]\n", argv[0]);
		return 0;
	}

	if (geteuid() != 0)
		errx(1, "The rdo binary needs to be installed as SUID.");

	int ruid = getuid();
	if (ruid == 0)
		runprog(&argv[1]);

	FILE* fp = fopen("/etc/rdo.conf", "r");

	if (!fp)
		err(1, "Could not open /etc/rdo.conf");

	getconf(fp, "username", username, sizeof(username));
	getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));
	getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));
	sleep_us = atoi(wrong_pw_sleep) * 1000;
	ts_ttl = atoi(session_ttl) * 60;

	fclose(fp);

	if (getsession(getppid(), ts_ttl) == 0)
		runprog(&argv[1]);

	struct passwd* p = getpwnam(username);
	if (!p) {
		if (errno == 0)
			errx(1, "The user specified in the config file does not exist.");
		else
			err(1, "Could not get user info");
	}

	int uid = p->pw_uid;
	if (uid != ruid)
		errx(1, "You are not allowed to execute rdo.");

	struct spwd* shadowEntry = getspnam(p->pw_name);

	if (!shadowEntry || !shadowEntry->sp_pwdp)
		err(1, "Could not get shadow entry");

	tries = 0;
	while (tries < 3) {
		if (!readpassphrase("(rdo) Password: ", password, sizeof(password), RPP_REQUIRE_TTY))
			err(1, "Could not get passphrase");

		char* hashed_pw = crypt(password, shadowEntry->sp_pwdp);
		memset(password, 0, sizeof(password));
		
		if (!hashed_pw)
			errx(1, "Could not hash password, does your user have a password?");

		if (strcmp(shadowEntry->sp_pwdp, hashed_pw) == 0) {
			setsession(getppid(), ts_ttl);
			runprog(&argv[1]);
		}

		usleep(sleep_us);
		fprintf(stderr, "Wrong password.\n");
		tries++;
	}
	errx(1, "Too many wrong password attempts.");
	return 1;
}
First Commit 2021-07-13 21:33:12 +02:00			`#include <pwd.h>`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`#include <err.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <shadow.h>`
			`#include <crypt.h>`
			`#include <unistd.h>`
			`#include <stdio.h>`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00			`#include <stdlib.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <string.h>`
Get passphrase from TTY This is required for #1. 2021-07-13 22:23:27 +02:00			`#include <bsd/readpassphrase.h>`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`#include "sessions.h"`
First Commit 2021-07-13 21:33:12 +02:00
Clear password after we're done using it Previously, the password would not be cleared after we hashed it with crypt(), which lead to the password staying in memory for the duration of program runtime. This was only really an issue for incorrect passwords, as execve() purges our memory anyway, but attackers could use an incorrect but mostly correct password for privilege escalation. Due to this being a security issue, this commit also introduces rdo version 1.3. Fixes #7 2022-02-07 14:37:54 +01:00			`#define VERSION "1.3"`
Add version and usage if no arguments are given. 2021-07-17 18:29:39 +02:00
Add error message for faulty config 2021-07-13 23:31:23 +02:00			`void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`char* line = NULL;`
			`size_t len = 0;`

			`fseek(fp, 0, SEEK_SET);`

			`while (getline(&line, &len, fp) != -1) {`
			`if (strncmp(entry, line, strlen(entry)) == 0) {`
			`strtok(line, "=");`
			`char* token = strtok(NULL, "=");`
			`if (token) {`
			`strncpy(result, token, len_result);`
			`result[strcspn(result, "\n")] = 0;`
Fix memory leak in getconf() As getline() calls malloc() to allocate new memory for our usage, we have to free() it after. 2021-07-18 23:34:31 +02:00			`free(line);`
Add error message for faulty config 2021-07-13 23:31:23 +02:00			`return;`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`}`
			`}`
			`}`

Add error message for faulty config 2021-07-13 23:31:23 +02:00			`errx(1, "Could not get '%s' entry in config", entry);`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`}`

Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`void runprog(char** program_argv) {`
Normalize the way we check for errors 2021-07-16 00:38:50 +02:00			`if (setuid(0) < 0)`
Check return values of setuid() and setgid() 2021-07-14 06:12:50 +02:00			`err(1, "Could not setuid");`
Normalize the way we check for errors 2021-07-16 00:38:50 +02:00			`if (setgid(0) < 0)`
Check return values of setuid() and setgid() 2021-07-14 06:12:50 +02:00			`err(1, "Could not setgid");`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`// NOTE: this does not return when no error occurred.`
			`execvp(program_argv[0], program_argv);`
Move type declerations to start of main 2021-07-15 16:17:54 +02:00
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`err(1, program_argv[0]);`
First Commit 2021-07-13 21:33:12 +02:00			`}`

			`int main(int argc, char** argv) {`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`char username[64], wrong_pw_sleep[64], session_ttl[64], password[128];`
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`unsigned int sleep_us, tries, ts_ttl;`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00
Add version and usage if no arguments are given. 2021-07-17 18:29:39 +02:00			`if (argc == 1) {`
			`printf("RootDO version: %s\n\n", VERSION);`
			`printf("Usage: %s [command]\n", argv[0]);`
			`return 0;`
			`}`
First Commit 2021-07-13 21:33:12 +02:00
Error if euid != 0 This can happen if the rdo binary isn't set up as SUID. 2022-02-09 20:17:45 +01:00			`if (geteuid() != 0)`
			`errx(1, "The rdo binary needs to be installed as SUID.");`

First Commit 2021-07-13 21:33:12 +02:00			`int ruid = getuid();`
Move type declerations to start of main 2021-07-15 16:17:54 +02:00			`if (ruid == 0)`
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`runprog(&argv[1]);`
Removed extra whitespace 2021-07-15 12:46:27 +02:00
Check uid before opening file 2021-07-15 14:59:24 +02:00			`FILE* fp = fopen("/etc/rdo.conf", "r");`

			`if (!fp)`
			`err(1, "Could not open /etc/rdo.conf");`

Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`getconf(fp, "username", username, sizeof(username));`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00			`getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));`
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`sleep_us = atoi(wrong_pw_sleep) * 1000;`
Don't multiply session_ttl by 100 2021-07-16 00:15:04 +02:00			`ts_ttl = atoi(session_ttl) * 60;`
First Commit 2021-07-13 21:33:12 +02:00
Check uid before opening file 2021-07-15 14:59:24 +02:00			`fclose(fp);`

Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`if (getsession(getppid(), ts_ttl) == 0)`
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`runprog(&argv[1]);`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00
First Commit 2021-07-13 21:33:12 +02:00			`struct passwd* p = getpwnam(username);`
Be more specific with getpwnam() errors getpwnam() does not populate errno when the user simply doesn't exist, making err() print "Success" as the error. We now check for errno == 0, and print a different error message for it. 2022-02-09 20:06:28 +01:00			`if (!p) {`
			`if (errno == 0)`
			`errx(1, "The user specified in the config file does not exist.");`
			`else`
			`err(1, "Could not get user info");`
			`}`
First Commit 2021-07-13 21:33:12 +02:00
			`int uid = p->pw_uid;`
Remove unnecessary ruid==0 check This is not necessary, as we checked it already on line 62. 2022-03-08 16:59:45 +01:00			`if (uid != ruid)`
Be more specific with getpwnam() errors getpwnam() does not populate errno when the user simply doesn't exist, making err() print "Success" as the error. We now check for errno == 0, and print a different error message for it. 2022-02-09 20:06:28 +01:00			`errx(1, "You are not allowed to execute rdo.");`
First Commit 2021-07-13 21:33:12 +02:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`struct spwd* shadowEntry = getspnam(p->pw_name);`
First Commit 2021-07-13 21:33:12 +02:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`if (!shadowEntry \|\| !shadowEntry->sp_pwdp)`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`err(1, "Could not get shadow entry");`
First Commit 2021-07-13 21:33:12 +02:00
Move type declerations to start of main 2021-07-15 16:17:54 +02:00			`tries = 0;`
First Commit 2021-07-13 21:33:12 +02:00			`while (tries < 3) {`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`if (!readpassphrase("(rdo) Password: ", password, sizeof(password), RPP_REQUIRE_TTY))`
			`err(1, "Could not get passphrase");`
Get passphrase from TTY This is required for #1. 2021-07-13 22:23:27 +02:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`char* hashed_pw = crypt(password, shadowEntry->sp_pwdp);`
Clear password after we're done using it Previously, the password would not be cleared after we hashed it with crypt(), which lead to the password staying in memory for the duration of program runtime. This was only really an issue for incorrect passwords, as execve() purges our memory anyway, but attackers could use an incorrect but mostly correct password for privilege escalation. Due to this being a security issue, this commit also introduces rdo version 1.3. Fixes #7 2022-02-07 14:37:54 +01:00			`memset(password, 0, sizeof(password));`
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00
			`if (!hashed_pw)`
Make the hashing failure error message more descriptive This error occurs when the user we try to hash the password for doesn't have a password, as seen in #8. We now mention this, to avoid future confusion. 2022-02-12 08:07:48 +01:00			`errx(1, "Could not hash password, does your user have a password?");`
Clear password after we're done using it Previously, the password would not be cleared after we hashed it with crypt(), which lead to the password staying in memory for the duration of program runtime. This was only really an issue for incorrect passwords, as execve() purges our memory anyway, but attackers could use an incorrect but mostly correct password for privilege escalation. Due to this being a security issue, this commit also introduces rdo version 1.3. Fixes #7 2022-02-07 14:37:54 +01:00
Add checks for crypt() and getspnam() failure 2022-02-08 21:09:36 +01:00			`if (strcmp(shadowEntry->sp_pwdp, hashed_pw) == 0) {`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`setsession(getppid(), ts_ttl);`
Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`runprog(&argv[1]);`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`}`
Removed extra whitespace 2021-07-15 12:46:27 +02:00
Rename sleep_ms to sleep_us The variable name was misleading, as we didn't calculate the time to sleep in milliseconds, but in microseconds. 2022-03-08 17:03:14 +01:00			`usleep(sleep_us);`
First Commit 2021-07-13 21:33:12 +02:00			`fprintf(stderr, "Wrong password.\n");`
Fix various formatting mistakes in rdo.c 2021-07-13 22:14:46 +02:00			`tries++;`
First Commit 2021-07-13 21:33:12 +02:00			`}`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`errx(1, "Too many wrong password attempts.");`
			`return 1;`
First Commit 2021-07-13 21:33:12 +02:00			`}`